OpenSSH-RSAAuth-NFS

Darren Moffat Darren.Moffat at eng.sun.com
Sat Jul 28 02:27:17 EST 2001


>I'd like to feed this enhancement back into the OpenBSD build, NFS security
>is not just a problem that relates to Solaris.

NFS on Solaris is secure, please don't propagate the myth that NFS is not
secure - especially on Solaris.

Since SunOS 4.x days NFS could be secured by using Secure RPC which uses
public keys and Diffie-Hellman exchange for authentication.

Since Solaris 2.6 (+ the free unbundled SEAM) you can secure NFS using
Kerberos since NFS uses RPCSEC_GSS.  Kerberos can be used for authentication,
integrity and encrypting the data.

NFSv4 has Kerberos (and SPKM/LIPKEY) as mandatory so any vendor claiming
that they have NFSv4 is required to have strong security for NFS.


Now that I've had my rant there are some issues with the patch.

1. I don't believe this works if NFS is used with cachefs since the file
   system won't show up as nfs but cachefs.
   
2. It assumes that all other remote filesystems are ok.

3. It assumes that NFS isn't secure - it may be.

--
Darren J Moffat
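
The three objections above, shown as an added example that is not part of the original message, the patch under discussion, or OpenSSH: a filesystem-type check that flags only "nfs" is compared with an allowlist check over a constructed mount table. All function names, the sample mounts, and the policy of accepting NFS only with a Kerberos `sec=` option are assumptions made for illustration.

```python
import posixpath

# Constructed sample mount table: device, mount point, fstype, options.
SAMPLE_MOUNTS = """\
/dev/dsk/c0t0d0s0 / ufs rw
/dev/dsk/c0t0d0s7 /export/home ufs rw
filer:/home /home nfs rw,sec=sys
filer:/secure /secure nfs rw,sec=krb5p
/cache/home /cached cachefs rw,backfstype=nfs
smbhost:/share /share smbfs rw
"""
LOCAL_FSTYPES = {"ufs"}                    # assumed allowlist of local filesystems
STRONG_NFS_SEC = {"krb5", "krb5i", "krb5p"}  # assumed policy for "secured" NFS

def parse_mounts(text):
    """Turn mount-table text into dicts; options become a key -> value map."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mounts.append({"mount_point": fields[1], "fstype": fields[2], "options": opts})
    return mounts

def find_mount(path, mounts):
    """Return the mount whose mount point is the longest prefix of path."""
    path = posixpath.normpath(path)
    best = None
    for m in mounts:
        mp = m["mount_point"]
        covers = mp == "/" or path == mp or path.startswith(mp + "/")
        if covers and (best is None or len(mp) > len(best["mount_point"])):
            best = m
    return best

def denylist_ok(mount):
    """Check that flags only fstype "nfs", as the objections describe."""
    return mount["fstype"] != "nfs"

def allowlist_ok(mount):
    """Accept known-local types, or NFS mounted with a Kerberos flavour."""
    if mount["fstype"] in LOCAL_FSTYPES:
        return True
    return mount["fstype"] == "nfs" and mount["options"].get("sec") in STRONG_NFS_SEC

def check(path, table=SAMPLE_MOUNTS):
    """Return (fstype, denylist verdict, allowlist verdict) for path."""
    m = find_mount(path, parse_mounts(table))
    return m["fstype"], denylist_ok(m), allowlist_ok(m)
```

With the constructed table, the cachefs and smbfs paths pass the "nfs"-only check but fail the allowlist, while the `sec=krb5p` NFS mount does the reverse.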




More information about the openssh-unix-dev mailing list